One-Size-Fits-All Doesn’t Make Sense

Every organization has its own unique set of business objectives, compliance requirements, policies, procedures, and technology solutions. As a result, it also has its own unique set of threats, vulnerabilities and risks. Traditional approaches to cyber risk management, including one-size-fits-all checklist assessments, spreadsheets, or paper-based systems, do not address the unique needs of your organization and often do not meet HIPAA Compliance requirements.

Frame

Improve Your Perspective on Cyber Risk

Designed for healthcare, Clearwater’s Enterprise Cyber Risk Management Solution (ECRMS) provides full visibility into where your greatest exposures lie. Unlike antiquated spreadsheet-based assessments, our IRM|Pro™ Software as a Service (SaaS) is designed to adapt dynamically to your organization’s specific systems and processes out of the box. In addition to facilitating the ongoing enterprise-wide evaluation of threats to your information assets, we enable you to effectively manage risk remediation actions, thereby improving your security posture.

Manage Cyber Risk Right

  • Follow NIST standards – NIST SP 800 series implemented out of the box
  • Assess risk for every ePHI information asset, ensuring that there are no gaps
  • Understand which risks are the highest based on likelihood and impact
  • Reduce residual risk through risk remediation workflow management
  • Stay ahead of the evolving threat landscape with ongoing risk analysis
  • Monitor the cyber risk management system through built-in dashboards
  • Gain centralized, up-to-date documentation of your risk management process
  • Avoid OCR fines with the industry-proven, by-the-book risk analysis solution

Holistic Enterprise Solutions Built for Healthcare

Our industry-leading ECRM Solution for healthcare, complete with our IRM|Pro™ software, manages all of your risk analysis and risk response needs. We create best-in-class, OCR-Quality™ risk analyses for hospitals, health systems, and their partners: analyses that evaluate the threats to all information assets, in all locations, including assessing the likelihood and impact of a breach. Services and programs include:

Industry Proven. Rapid ROI.

  • 100% OCR acceptance of our risk analysis – don’t take chances
  • Prevent breaches and keep patients safe with the most comprehensive solution in the industry
  • Stay ahead – vulnerability and threat scenarios are updated by Clearwater on an ongoing basis
  • Optimize IT spending through prioritization of security projects
  • Increase efficiency with a streamlined, automated risk analysis and risk management process – no more spreadsheets!
  • Avoid fines and penalties – benefit from proven success
  • Efficiently address HIPAA and Meaningful Use requirements

Strategic Advisory Services

Learn about our OCR Enforcement Assistance, Strategic Security Roadmap, and more.

Based on all I’ve seen over the years, Clearwater’s risk analysis methodology and software are in the best-of-breed tier and can be seriously considered by any organization striving to meet regulatory requirements in performing HIPAA risk analysis.

LEON RODRIGUEZ
Former Director, HHS Office for Civil Rights /
Partner, Seyfarth Shaw LP

CLEARWATER SOLUTIONS

1. Risk Analysis

Comprehensive Cybersecurity Starts Here

Conducting an enterprise-wide, information asset-based HIPAA risk analysis that adheres to OCR’s guidance and provides full visibility into your organization’s exposures is no small task. A by-the-book approach to HIPAA risk analysis can be overwhelming unless you have the right tools and resources in place. Clearwater provides the most comprehensive NIST-based Security Risk Analysis solution available. Powered by IRM|Analysis™, our solution has a 100% acceptance rate from the OCR.

How we do it:

Our HIPAA Risk Analysis solution combines our proven methodology with our proprietary IRM|Analysis™ SaaS platform to deliver the most comprehensive risk analysis available. Clearwater’s risk analysis solution maps to the specific systems and processes in your organization and gauges risks based on the likelihood of a threat exploiting a vulnerability and the resulting impact to your organization. Rely on our expertise and systematic approach to conducting an OCR-Quality™ enterprise risk analysis.

Deliverables include:

  • Subscription to our industry-leading IRM|Analysis™ software
  • A detailed Risk Analysis Findings, Observations and Recommendations (FOR) report
  • A risk registry and other reports for Meaningful Use Attestation and OCR inquiry response
2. Risk Response

Be Clear. Be Confident. Be Thorough.

Risk response is part of the ongoing process of managing the risks identified during the risk analysis and a key step in the overall NIST Risk Management Process. A response needs to be conducted in a methodical manner, with adequate identification of owners, alternatives considered, documented decisions, and implementation planning, as required under the HIPAA Security Rule.

How we do it:

Clearwater employs a proprietary methodology based on years of experience working with clients to create OCR-Quality™ responses that deliver results. We leverage our OCR-Quality™ risk analysis – populated in our IRM|Analysis™ software – and our professional services team to manage the entire process based on our careful study of the explicit HHS/OCR guidance and NIST SP 800-39 – Managing Information Security Risk.

Program features include:

  • Introduction to workflows for completing a NIST-based risk response
  • Historical documentation of alternatives considered, investment options, decisions made, tasks assigned, and responsible parties
  • Project management through completion
  • The option to complete the work under direction of outside counsel
  • Periodic project status reports
  • Risk Response Planning Executive Summary Report
3. Cyber Risk Services™ (CRS)

A Strategic and Complete 3-Year Program

Hospital leaders tell us there is a lack of skills, knowledge, experience, and funding to stand up, operate, and maintain an effective cyber risk management program: one that will protect patient information, ensure patient safety, and safeguard a hospital’s finances and reputation.

How we do it:

Clearwater CRS combines its award-winning IRM|Pro™ ECRMS platform, expert professional services, and proven methodology to rapidly build your cyber risk management program. We also work with you to help you assess, respond to, and manage cybersecurity risks on an ongoing basis. We offer three levels of service at fixed monthly fees to ensure predictable costs that won’t break your budget and that match your specific needs. Levels include:

  • CRS Essential – best suited for community hospitals, small regional hospitals, medical practice groups, business associates
  • CRS Plus – best suited for small IDNs, regional health systems, 50+ medical practice groups, large covered entities
  • CRS Enterprise – best suited for large IDNs, select and other covered entities
4. Vulnerability Assessment & Penetration Testing

A Full Suite of OCR-Quality™ Testing Services

Conducting an OCR-Quality™ Technical Evaluation required by 45 CFR §164.308(a)(8) helps organizations test the effectiveness of the controls they’ve implemented and meet the explicit HIPAA Security Rule requirements for periodic technical evaluation.

How we do it:

Clearwater’s talented security experts combine cutting-edge tools, comprehensive manual testing, and unparalleled, real-world technology experience to improve your overall security posture through this important monitoring activity. We will identify weaknesses that could be exploited, conduct a series of authorized simulated attacks, and conduct a vulnerability and penetration test of your wireless network, as well as other important assessments and tests. The service includes:

  • Internal and External Vulnerability Assessments
  • Penetration Testing
  • WLAN Security Testing
  • Web Applications Testing
  • Network Architectural Assessment
  • Security Awareness Assessment
5. NIST Cybersecurity Framework Adoption

Taking a Step Beyond Compliance

Information security risk management has been a long-standing requirement in healthcare privacy and security regulations. However, compliance with regulations does not necessarily imply an organization has a secure information systems environment.

How we do it:

Clearwater’s NIST Cybersecurity Framework Implementation WorkShop™ assists your organization in adopting the government-recommended cybersecurity framework while offering education, procedures, and software to help you strengthen and maintain your information security program. The service includes:

  • Documenting your current Profile and Implementation Tier
  • Defining your Target Profile
  • Creating an action plan to achieve your Target Profile
  • Dynamically created dashboards that show current implementation and any gaps
6. Virtual CISO

From Interim to Full-time Virtual CISO

Lead. Establish. Implement. Mature. Improve. A completely tailorable service based on your own compliance and cyber risk management requirements. The service comes complete with our SaaS-based IRM|Analysis™ to help create an OCR-Quality™ risk analysis. Services can be delivered both on-site and remotely.

How we do it:

Let Clearwater augment or fill your security and risk management staffing requirements with knowledgeable, experienced individuals to help you achieve your compliance and cyber risk management program goals. We can provide program leadership and advisory services, formalize information risk management program governance, and develop security and information risk management policies and procedures as required.

Other tasks can include:

  • Security and information risk management training and education
  • Completion of all regulatory-driven security assessments
  • Establishment of a third-party risk management program
  • Risk Management Program Maturity Assessment
7. Third-Party Risk Management

Achieve Visibility and Manage Your Business Associates

Third-party cybersecurity risks are increasing in intensity and complexity, threatening the critical data you entrust to your business associates (BAs). Clearwater can establish or strengthen your business associate risk management program, helping you obtain the assurance you need that your BAs are safeguarding the information entrusted to them and reducing the risk of reputational and financial repercussions to your organization.

How we do it:

Our Three-Phase Risk Management Process begins with a complete inventory of your BAs and their agreements. Phase Two identifies high-risk BAs, distributes attestation questionnaires, and determines follow-up actions. Phase Three updates executives and the board through a Findings, Observations and Recommendations (FOR) report.

Program features include:

  • Establishing a baseline of the current BA program
  • Identifying key BA risk management capabilities for improvement
  • Developing a prioritized roadmap for implementing the FOR
  • Leveraging industry-leading assessment tools and templates
8. HIPAA 10-Point Assessment

Where Do You Stand? What to Do Next?

Find out where you stand, and get a clear plan of action with our tactical assessment of your current HIPAA compliance and cyber risk management program. Meet the challenges of increasing interoperability and data sharing while being confident that your organization is following HIPAA regulations.

How we do it:

Clearwater’s cybersecurity and HIPAA compliance assessment is an effective diagnostic tool, carried out by our seasoned professionals, that assesses the effectiveness of your cyber risk management and HIPAA compliance program in 10 critical areas to show you where you stand and what you need to address or modify, including:

  • Risk Analysis
  • Risk Response
  • Security Non-Technical Evaluation
  • Security Technical Evaluation
9. Medical Device Security

Comprehensive Cybersecurity & Risk Management

Unauthorized access to biomedical devices may not only threaten the confidentiality of ePHI, but could also compromise the availability of service and the integrity of data critical to patient care.

How we do it:

Clearwater provides a comprehensive medical device security and risk management solution, which includes the discovery, inventory, and categorization of medical devices based on patient safety risk and other criteria. All of this helps provide you with actionable insights, workflow management, and documented remediation actions. Program features include:

  • Improved lifecycle management
  • Actionable insights into critical vulnerabilities
  • OCR-Quality™ Risk Analysis
  • End-to-End Risk Management
  • Prioritized security actions
10. M&A Due Diligence

Upgrade Your Customary M&A Due Diligence Process

Assess cybersecurity before closing on any investment to avoid financial penalties or possible negative media exposure. Identify key cyber risks and security and compliance gaps that could impact your investment.

How we do it:

Designed for private equity firms, law firms, and healthcare organizations involved in M&A transactions of healthcare entities, Clearwater conducts an efficient evaluation of the cybersecurity and HIPAA compliance risk of the target investment, with options to match the budget, timing, and scope as appropriate. In as little as 30 days we deliver an Investment Committee-ready report and identify specific actions that can be taken to resolve critical risks.

Areas of discovery include the completeness of:

  • HIPAA Compliance
  • Cybersecurity Program
  • Business Associate / Vendor Risk Management
  • Privacy, Security, and Breach Notification Policies and Procedures

What If OCR Contacts Us?

To date, there have been more than 61 Office for Civil Rights enforcement actions. Eighty-eight percent of those enforcement actions relating to ePHI included adverse findings in the organization’s risk analysis and risk management.

Clearwater-provided risk analyses have a 100% acceptance rate when submitted to OCR.